1

CIS 5371 Cryptography

4. Collision Resistant Hash Functions

Based on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography

2

Collision ResistanceA collision in a function H is a pair of distinct inputs x, x’ Collision resistance is trivial to achieve if compression is not required (take for example the identity function)We shall be dealing with a family of hash functions indexed by a key s.That is H will take as input a key s and a string x and output a string:

3

Definition 5.1, Hash Function

A hash function is a pair of probabilistic polynomial-time algorithms such that:• takes input the security parameter and outputs a key .• There is a polynomial such that takes as input a key and a string and .

4

A collision finding experiment -(A,)

5

Definition 4.12 Collision Resistant Hash Function

A hash function is collision resistant, if for all probabilistic polynomial-time adversaries there is a function such that: -

6

Weaker notions of security for Hash Functions 1. Collision resistance. The strongest notion, as defined earlier.2. Second pre-image resistance. Informally, given a key and a string it is infeasible for a probabilistic polynomial-time adversary to find such that 3. Pre-image resistance Informally, given a key and a string (but not ) for a randomly chosen it is infeasible for a probabilistic polynomial-time adversary to find such that

7

Weaker notions of security for Hash Functions 1.Collision resistance Second pre-image resistance If given the adversary can find such that pair

with 2.Second pre-image resistance Pre-image resistance If it were possible to invert and find an such that , then it would be possible to take a given input , compute , and then invert to find such that

8

Generic birthday attack Birthday problemLet be a hash function .Assume that the values are uniformly distributed in and independent .Assume that arbitrary inputs are selected.Then the probability that there is a collision using hash evaluations is greater that .½The time taken is .(One has to sort outputs---assume that one can evaluate a hash function in constant time.)

9

Improved birthday attack

Memory is a scarcer resource than time: storing hash evaluations is costly.

10

Improved birthday attack Improved birthday attackLet be a hash function.Select . For Compute and . If there is a collusion; else continue.It can be shown that we get a collision with probability roughly in steps.½

11

Construction 4.12 The Merkle-Damgaard transform is a fixed-length collision-resistant hash function with inputs of length and outputs . A variable-length hash function is constructed as follows.• : on input , output key .• H : on input and, do:1. Set , pad so that it can be parsed into blocks of length . Set ( bits). 2. Set .3. For , compute ).4. Output

12

The Merkle-Damgaard transform

𝑥1 𝑥2 𝑥𝐵 𝑥𝐵+1=𝐿

𝑧 0 𝑧1 𝑧𝐵. . . h𝑠h𝑠h𝑠h𝑠

(=)

𝑧𝐵+1

13

Theorem 4.14

If is a fixed-length collision-resistant hash function then is a collision-resistant hash function.